Yesterday my vServer was shut down by my provider because of some unusual load. They told me there were multiple processes running with the name dtdfs. I also see in the log that there was some high network traffic. I now changed all passwords and restarted the server. I also tried to find a program named "dtdfs", but without any success. I also unsuccessfully grep'd the logs for that name.

I didn't have any process logging applications manually installed (it's a Debian system). It isn't a highly important server (just a development server hosting some git repos), but I'd like to learn from that and find out what happened.
Where should I start? What about that dtdfs process? Is there a way afterwards to get more info about that process?

4 Answers

The /tmp/dtdfs being run from your /tmp, which I also found on a number of systems at the same time/date, turned out to be a proftpd exploit, and dtdfs was part of a botnet flooding program being run in /tmp. The IP coded in it traced back to a UK address. If you have a Plesk server then Parallels released a hotfix for it just a few days ago. If it's just standalone proftpd on Debian or Ubuntu then proftpd's site had the hotfix posted as well a few days back. It's always best to not run these services at all if you're not even using them, or turn them on when you do need them; typically proftpd has been pretty good IMO up until this one.

Exactly, Plesk and ProFTP. The joke is that there are millions of options with Plesk, but not one to turn off FTP. I disabled it manually now. Thanks for the detailed explanation and the botnet info.
– Zardoz Nov 18 '10 at 4:21

While a process is running, /proc/{pid}/exe is a symbolic link to the executable it originally ran from, but after the fact you're pretty much out of luck.

As for this mysterious "dtdfs", it could be anything, even /bin/ls ... a process can change its command line after it starts, which is probably what was seen if your provider was using ps to investigate.
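As an added illustration of the /proc inspection described in the answer above (not code from any poster in this thread): a small Python triage helper that reads /proc/<pid>/exe, cwd, cmdline and comm while the process is still alive and flags the signs discussed here, a binary executing from /tmp, one already deleted from disk, and an argv[0] that disagrees with the real executable. proc_root is a parameter so demo() can run it against a constructed fake /proc entry; the pid 4242 and its contents are made up for the demo.

```python
import os
import tempfile
from pathlib import Path

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def inspect_process(pid, proc_root="/proc"):
    """Read exe/cwd/cmdline/comm for a live pid and flag warning signs."""
    # Only works while the process is alive: /proc/<pid> vanishes on exit.
    p = Path(proc_root) / str(pid)
    info = {"pid": pid, "exe": None, "cwd": None, "argv": [], "comm": None, "findings": []}
    # exe links to the binary actually mapped, whatever argv[0] claims; the
    # kernel appends " (deleted)" if that file was unlinked after exec.
    if (p / "exe").is_symlink():
        info["exe"] = os.readlink(p / "exe")
    if (p / "cwd").is_symlink():
        info["cwd"] = os.readlink(p / "cwd")
    # cmdline is NUL-separated argv and the process can rewrite it at will,
    # so it is a claim, not evidence; comm (the task name) is settable too.
    if (p / "cmdline").is_file():
        raw = (p / "cmdline").read_bytes()
        info["argv"] = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    if (p / "comm").is_file():
        info["comm"] = (p / "comm").read_text().strip()
    exe = info["exe"]
    if exe is None:
        info["findings"].append("exe unreadable: process exited or not ours")
        return info
    if exe.endswith(" (deleted)"):
        info["findings"].append("binary deleted from disk while still running")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(SCRATCH_DIRS):
        info["findings"].append("binary runs from a world-writable scratch dir")
    argv0 = os.path.basename(info["argv"][0]) if info["argv"] else ""
    if argv0 and argv0 != os.path.basename(exe):
        info["findings"].append(f"argv[0] {argv0!r} != exe {os.path.basename(exe)!r}")
    return info


def demo():
    """Constructed /proc entry (not a real capture): a binary started from /tmp,
    unlinked afterwards, with argv rewritten to look like /bin/ls."""
    root = Path(tempfile.mkdtemp())
    pid_dir = root / "4242"
    pid_dir.mkdir()
    os.symlink("/tmp/dtdfs (deleted)", pid_dir / "exe")  # dangling link is fine
    os.symlink("/tmp", pid_dir / "cwd")
    (pid_dir / "cmdline").write_bytes(b"/bin/ls\x00-l\x00")
    (pid_dir / "comm").write_text("ls\n")
    return inspect_process(4242, proc_root=root)
```

Run it against a real pid with inspect_process(pid) on the live box; once the process has exited, as the answer says, none of these files exist any more.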